Heimdall

Securing MCP servers against LotL abuse

year
2025
w/
ITU & Anthropic Bug Bounty
role
ethical hacker, researcher, developer
at
ITU · Copenhagen

Heimdall (formerly Claude Defender) grew out of my security research into the Model Context Protocol (MCP) ecosystem. During this work, I identified multiple vulnerabilities in Claude Desktop’s MCP implementation, demonstrating how Claude Desktop could be abused as a Living off the Land (LotL) execution vector, leading to remote code execution, and how modified MCP servers could remain trusted through tool poisoning. I responsibly disclosed the findings to Anthropic, resulting in one duplicate report and one informative report, where the behaviour was acknowledged but considered outside their threat model. The research formed the basis of my university dissertation, which received the highest possible grade.

Around the same time, the tool poisoning attack pattern had not yet been formally published. As part of this research, I independently explored the technique and later built Heimdall as a practical mitigation. Initially developed for Claude Desktop, the project has since evolved into a cross-platform integrity monitor for the wider MCP ecosystem, supporting Claude Desktop, Claude Code, Cursor, Windsurf, LM Studio, and custom MCP configurations.

Rather than attempting to detect malicious behaviour directly, Heimdall focuses on ensuring that trusted MCP servers remain trustworthy. It continuously monitors the files AI agents rely on, providing immediate visibility whenever an MCP configuration or server changes unexpectedly.

A key challenge for integrity monitoring is protecting the trusted baseline itself. Heimdall addresses this through trustroot, a cryptographically authenticated trust store that signs every integrity record using a keyed BLAKE3 MAC. The signing key is stored inside the operating system’s secure credential store rather than on disk, making it significantly more difficult for an attacker with only file-write access to silently replace both the monitored files and the baseline used to verify them.

Beyond integrity monitoring, Heimdall provides an investigation layer for MCP environments. Users can inspect syntax-highlighted file diffs, accept or revert changes, quarantine suspicious MCP servers, analyse Claude's runtime logs to reconstruct server activity, and export signed audit reports for later review. The same detection engine is also available through a lightweight headless CLI suitable for continuous monitoring and scripting.

Heimdall is open source and serves as both a defensive tool and a proof of concept for strengthening the security of local AI agents and MCP-based workflows.

Future work focuses on extending Heimdall’s trust model beyond the local machine. Planned improvements include signed software releases with reproducible build metadata, remote anchoring of the cryptographically authenticated audit chain, deeper correlation between runtime behaviour and configuration changes, and replacing the current WebView-based interface with a native desktop frontend to further reduce resource usage. Longer term, the project aims to generalise its integrity model beyond today’s MCP ecosystem as local AI tooling continues to evolve.

ModeFootprint
Headless watcher~7.5 MB RAM · ~0.1% CPU · event-driven (no polling)
Desktop GUI~35 MB engine + WebView2 runtime (mostly shared OS pages)

The headless watcher performs effectively no work while idle, waking only when a monitored MCP configuration or server file changes. Detection is typically sub-second, using an event-driven filesystem watcher rather than periodic polling. The desktop application uses the same detection engine while providing an interface for reviewing changes, intrusion analysis, quarantine, and audit reporting.

Or, if you still want to keep the installation paths (since they’re useful), simply update them and separate them from the performance section:

OSState directory
Windows%LOCALAPPDATA%\MCPMonitor\
macOS~/Library/Application Support/MCPMonitor/
Linux~/.local/share/MCPMonitor/

also see